Courseiva
SY0-701
Full test
hardmulti selectObjective-mapped

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Question 1hardmulti select
Full question →

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

The TLS certificate fingerprint reused by multiple samples.

A reused certificate fingerprint is harder for attackers to change quickly than a daily domain. It can identify infrastructure or tooling reused across campaigns. Because it appears across multiple samples, it is a durable hunting and blocking indicator compared with short-lived hostnames.

B

Best answer

The mutex name created by the malware on infected endpoints.

A unique mutex is often embedded in the malware family and can remain stable across variants. It is useful for endpoint hunting because it reflects how the sample behaves on a host, not just where it connects. That makes it more durable than infrastructure that rotates daily.

C

Best answer

The JA3 client fingerprint observed in outbound TLS sessions.

A repeated JA3 fingerprint can reveal the same malware or tooling even when domains and binaries change. It is a strong network-level hunting clue because it summarizes TLS client behavior. That makes it more resilient than current IP addresses or fresh domains that are intentionally disposable.

D

Distractor review

The current domain name used by the command-and-control server.

The scenario says the domain rotates daily, so it is a poor long-term indicator. It may be useful for temporary blocking, but it is not the most durable clue. Attackers expect defenders to burn these indicators quickly and replace them often.

E

Distractor review

The public IP address currently hosting the malware sample.

Infrastructure IPs can change quickly, especially when adversaries use disposable hosting or fast-flux style setups. This indicator may help short-term blocking, but it is not dependable for long-term hunting. Behavioral and family-specific artifacts are more resilient for this campaign.

Common exam trap

Common exam trap: answer the scenario, not the keyword

Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.

Technical deep dive

How to think about this question

This question should be treated as a scenario, not a definition check. Identify the problem, the constraint and the best action. Then compare each option against those facts.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.
  • Use explanations to understand the rule behind the answer.

TExam Day Tips

  • Underline the problem statement mentally.
  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Related practice questions

Related SY0-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Security+ social engineering questions

Practise SY0-701 questions linked to Security+ social engineering questions.

Security+ cryptography practice questions

Practise SY0-701 questions linked to Security+ cryptography.

Security+ IAM questions

Practise SY0-701 questions linked to Security+ IAM questions.

Security+ risk management questions

Practise SY0-701 questions linked to Security+ risk management questions.

Security+ incident response questions

Practise SY0-701 questions linked to Security+ incident response questions.

Security+ malware questions

Practise SY0-701 questions linked to Security+ malware questions.

Security+ vulnerability management questions

Practise SY0-701 questions linked to Security+ vulnerability management questions.

Security+ security operations questions

Practise SY0-701 questions linked to Security+ security operations questions.

Security+ zero trust questions

Practise SY0-701 questions linked to Security+ zero trust questions.

Security+ authentication factors questions

Practise SY0-701 questions linked to Security+ authentication factors questions.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

Question 2

An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?

Question 3

An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?

Question 4

You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?

Question 5

A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.

Question 6

A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?

FAQ

Questions learners often ask

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The TLS certificate fingerprint reused by multiple samples. — The most useful indicators are the TLS certificate fingerprint, the mutex name, and the JA3 client fingerprint. Those artifacts tend to persist across repackaging and domain rotation, which makes them better for hunting than transient infrastructure. Because the attacker changes domains daily, defenders should prioritize the more stable behavioral and cryptographic fingerprints that can link samples together. Why others are wrong: A current domain or IP address may help in the moment, but both are easy for the attacker to replace. Since the campaign intentionally rotates infrastructure, those indicators have short shelf life. Durable artifacts that reflect the malware family or its network behavior provide much better detection value.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.